From: Andrew Beverley <andy@andybev.com>
To: dmitry.korzhevin@stidia.com
Cc: netfilter@vger.kernel.org
Subject: Re: Question about xt_ipp2p module
Date: Wed, 27 Mar 2013 17:56:54 +0000
Message-ID: <1364407014.1819.27.camel@andrew-desktop>
In-Reply-To: <5152B9AE.4020901@stidia.com>

On Wed, 2013-03-27 at 11:19 +0200, Dmitry Korzhevin wrote:
> On 26.03.2013 23:28, Andrew Beverley wrote:
> > On Tue, 2013-03-26 at 21:53 +0200, Dmitry Korzhevin wrote:
> >> Hi,
> >>
> >> I'm using Debian 6.0.7 x86_64. I have installed xtables with xt_ipp2p
> >> and it seems I did something wrong, because my rules don't drop
> >> bittorrent traffic.
> >
> > My gut instinct is it's not working because ipp2p is old software and
> > may not match the bittorrent stream that you are using.
> >
> >> 1       33  2970 ACCEPT     all  --  eth0   *       10.2.0.2
> >>    0.0.0.0/0           policy match dir in pol ipsec reqid 116 proto 50
> >> 2       26 10983 ACCEPT     all  --  *      eth0    0.0.0.0/0
> >>    10.2.0.2            policy match dir out pol ipsec reqid 116 proto 50
> >> 3        0     0 DROP       all  --  *      *       0.0.0.0/0
> >>    0.0.0.0/0           ipp2p --bit
> >
> > Nonetheless, given that the default policy is ACCEPT, why not just
> > delete rules 1 and 2 to check whether that is the problem?
> >
> > Are you forwarding the bittorrent traffic to another machine or
> > downloading it locally? I see that you are using rules in both the INPUT
> > and FORWARD chains.
>
> Thank you for the answer! But I'm testing this netfilter module according
> to various internet howtos, where people claim that this module can block
> bittorrent traffic.

Yes, but that doesn't mean that it is guaranteed to match every
bittorrent implementation.

An alternative way of matching bittorrent traffic is to use the
connlimit module to look for lots of connections from a client above
ports 1024. This is pretty brutal and prone to false-positives, but it
may work for you. There is an example here:

http://andybev.com/index.php/Fair_traffic_shaping_an_ADSL_line_for_a_local_network_using_Linux

BTW: Please don't top-post.

Andy
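
An added example, not part of the original message or the linked page: a dry run of the connlimit heuristic described above, counting open TCP connections per client to destination ports above 1024 in `conntrack -L -p tcp` style text, so you can see which clients a rule would hit before deploying it. The sample flows, the threshold of 10, the function names and the reading of "above ports 1024" as destination ports are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Rule shape it approximates (assumed):
#   iptables -A FORWARD -p tcp --dport 1025: -m connlimit --connlimit-above 10 -j DROP

# Emit constructed conntrack lines: flows <client> <dport> <state> <count>
flows() {
    i=0
    while [ "$i" -lt "$4" ]; do
        echo "tcp 6 300 $3 src=$1 dst=198.51.100.$i sport=$((40000 + i)) dport=$2 src=198.51.100.$i dst=$1 sport=$2 dport=$((40000 + i)) [ASSURED] mark=0 use=1"
        i=$((i + 1))
    done
}

# Constructed sample table (all addresses and counts are made up).
sample_conntrack() {
    flows 10.0.0.5 6881 ESTABLISHED 12  # many peers on a high port
    flows 10.0.0.7 443 ESTABLISHED 15   # browser: port <= 1024, not counted
    flows 10.0.0.7 8080 TIME_WAIT 14    # closed flows, skipped below
    flows 10.0.0.9 8443 ESTABLISHED 11  # legitimate app, a false positive
}

# Print "<client> <count>" for clients with more than $1 open connections
# to destination ports above 1024. Reads conntrack text on stdin.
high_port_conn_counts() {
    awk -v limit="$1" '
        $1 == "tcp" && $4 != "TIME_WAIT" && $4 != "CLOSE" {
            src = ""; dport = ""
            # Only the first src=/dport= pair: the original direction.
            for (i = 5; i <= NF; i++) {
                if (src == "" && $i ~ /^src=/) src = substr($i, 5)
                if (dport == "" && $i ~ /^dport=/) dport = substr($i, 7)
            }
            if (src != "" && dport + 0 > 1024) count[src]++
        }
        END { for (s in count) if (count[s] > limit) print s, count[s] }
    ' | sort
}

sample_conntrack | high_port_conn_counts 10
```

On a live gateway, pipe `conntrack -L -p tcp` into `high_port_conn_counts` instead of the sample; any client listed that is not running a P2P program is one of the false positives the message warns about.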